It’s this subkey that we’ll use for SSH authentication. Note the showing that one of our subkeys has the authenticate capability. Once you have your GPG key, the output from gpg -K should look something like the following. Note however that since GnuPG 2.1, you can delete the private part of your master key by deleting the appropriate file (named by keygrip, which you can obtain using gpg -K --with-keygrip) in ~/.gnupg/private-keys-v1.d, so you shouldn’t need to use --export-secret-subkeys and re-import them.
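An added example (not from the original post): a shell helper that reads the colon-format output of gpg -K --with-keygrip --with-colons and reports which keygrip belongs to the authenticate subkey and which file under private-keys-v1.d holds the master key. The function names, the constructed sample listing and the skipping of revoked or expired subkeys are assumptions made for this example.

```shell
#!/bin/sh
# Real use: gpg -K --with-keygrip --with-colons | auth_keygrips

# Constructed sample listing (key IDs, fingerprints and keygrips are made up).
sample_listing() {
    cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::cSEA:::+:::23::0:
fpr:::::::::00000000000000000000000000000000AAAAAAAA:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1500000000::::Example User <user@example.org>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1500000000:1600000000:::::e:::+:::23:
fpr:::::::::00000000000000000000000000000000BBBBBBBB:
grp:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1500000000:1600000000:::::a:::+:::23:
fpr:::::::::00000000000000000000000000000000CCCCCCCC:
grp:::::::::3333333333333333333333333333333333333333:
ssb:r:4096:1:DDDDDDDDDDDDDDDD:1400000000:1500000000:::::a:::+:::23:
fpr:::::::::00000000000000000000000000000000DDDDDDDD:
grp:::::::::4444444444444444444444444444444444444444:
EOF
}

# Emit "type validity keyid caps keygrip" for every secret key and subkey.
# In sec/ssb records field 2 is validity, field 5 the key ID and field 12
# the capabilities; the keygrip is field 10 of the grp record that follows.
keygrip_table() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            type = $1; val = ($2 == "" ? "-" : $2); id = $5
            caps = ($12 == "" ? "-" : $12); next
        }
        $1 == "grp" && type != "" { print type, val, id, caps, $10; type = "" }
    '
}

# Keygrips of usable subkeys with the authenticate capability (lowercase "a").
# Revoked (r) and expired (e) subkeys are skipped.
auth_keygrips() {
    keygrip_table | awk '$1 == "ssb" && $2 !~ /[re]/ && $4 ~ /a/ { print $5 }'
}

# File holding the master key's private part, relative to ~/.gnupg.
master_key_file() {
    keygrip_table | awk '$1 == "sec" { print "private-keys-v1.d/" $5 ".key" }'
}
```

The helper only reports; check that master_key_file names the certify-only key, and that you have an offline copy of it, before deleting anything.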
I won’t describe this process as there are plenty of blog posts out there that do, but in brief I would recommend creating a non-expiring master key with only the (certify) capability – perhaps keeping this offline – and expiring subkeys for each other capability, as described in this post.
If you don’t already have a GPG key/subkey with the (authenticate) capability, you’ll need to generate one first.
I mainly used bootc’s wiki page and the notes on, changing a few things in search of a cross-platform solution for macOS 10.12 and Debian 9 so that I have a unified set of config files that can be synced using git. The basic idea is that instead of using ssh-agent for SSH authentication, we’ll use gpg-agent. Since GnuPG 2.1 this has become much easier, and whilst there are some good tutorials out there, some are out of date.
If you have a GPG key, it makes sense to also use it for SSH authentication rather than generating a separate key.